New Denial-of-Service Software Found "in the Wild"

Daily News
By Steven Bonisteel, Newsbytes
May 03, 2000

Security experts are warning system administrators to be on the lookout for newly discovered software that hackers can deploy with plans to bring targeted Internet servers to their virtual knees.

The software, discovered "in the wild" in at least one location, is capable of launching the kinds of attacks that all but knocked a number of high-profile Web sites offline earlier this year--incidents that have already resulted in mischief charges being laid against a Canadian teenager.

The recently discovered software--a combination of tools being called "Mstream"--is capable of being secreted on numerous otherwise innocuous host computers as part of a coordinated campaign that appears to originate from multiple locations and is designed to prevent the targeted computers from responding to legitimate connections. The technique is known as a distributed denial of service (DDoS) attack.

Dave Dittrich, a software engineer and consultant at the University of Washington, and three colleagues were among the first to document an analysis of Mstream, which they said was found running on a Linux-based server at the university in late April.

Over the weekend, source code for some Mstream components was posted anonymously to a pair of security-related Internet mailing lists, so Dittrich and his team quickly released a preliminary version of their findings, which described the software as "more primitive" than such better-known DDoS tools as Trin00 and variations on software known as Tribe Flood Network and Stacheldraht.

Also studying Mstream after its appearance on the mailing lists were the engineers at X-Force, the research and development arm of security-software company Internet Security Systems [NASDAQ:ISSX].

Chris Rouland, X-Force director, told Newsbytes that Mstream is designed to work using a "three-tier" approach common to many of the DDoS tools. In a three-tier assault, attacks emanate from multiple "zombie" machines on which the malicious software has been installed, while the zombies receive their marching orders from a master application. That master software is itself usually installed surreptitiously on a compromised machine, making it more difficult to find the hacker, or hackers, who actually configure and trigger the attacks.

Like Trin00 and Tribe Flood Network, Rouland said, Mstream attacks slow a target machine by repeatedly sending it data requesting permission to establish communication, but providing a phony "return address." Target computers then quickly run out of available horsepower as they attempt to acknowledge requests from thousands of bogus destinations.
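One defender-side check that follows from Rouland's description, added here as an illustration and not code from the article, ISS or Dittrich's analysis: count how many distinct source addresses reach a single destination inside a short window, since a spoofed-source flood shows up as thousands of never-before-seen "return addresses" per second. The packet records, the window and the threshold are all constructed assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 1.0
DISTINCT_SOURCE_THRESHOLD = 100  # assumed; tune to the host's normal fan-in


def parse_record(line):
    """Parse a constructed record 'time src dst' into (float time, src, dst)."""
    t, src, dst = line.split()
    return float(t), src, dst


def detect_floods(lines, window=WINDOW_SECONDS, threshold=DISTINCT_SOURCE_THRESHOLD):
    """Return {dst: peak distinct sources} for every destination that saw more
    than `threshold` distinct source addresses inside any `window`-second span.
    A legitimate host rarely sees hundreds of new sources per second; a
    spoofed-source flood produces exactly that pattern."""
    per_dst = defaultdict(list)
    for line in lines:
        t, src, dst = parse_record(line)
        per_dst[dst].append((t, src))
    alerts = {}
    for dst, events in per_dst.items():
        events.sort()
        active = defaultdict(int)  # src -> packets still inside the window
        start, peak = 0, 0
        for t, src in events:
            active[src] += 1
            while events[start][0] < t - window:  # expire packets older than window
                old = events[start][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            peak = max(peak, len(active))
        if peak > threshold:
            alerts[dst] = peak
    return alerts


def constructed_sample():
    """Constructed traffic, not a capture: 250 spoofed sources hit 192.0.2.10
    within half a second, while 192.0.2.20 sees three real clients."""
    flood = [f"{i * 0.002:.3f} 198.51.100.{i + 1} 192.0.2.10" for i in range(250)]
    normal = [f"{i * 0.5:.3f} 10.0.0.{i % 3 + 1} 192.0.2.20" for i in range(60)]
    return flood + normal


if __name__ == "__main__":
    print(detect_floods(constructed_sample()))  # {'192.0.2.10': 250}
```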

Rouland said ISS is about to release an Mstream-aware update to its own software that can automate the process of detecting DDoS installations and attacks. Meanwhile, X-Force is offering instructions on its Web site for administrators who want to check for Mstream manually.